CVE-2026-28318 HIGH

CVE-2026-28318: SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability

Vendor Solarwinds

Product Serv-U

Weakness CWE-400

KEV Status Known Exploited

Published June 4, 2026

Last update June 6, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

June 4, 2026 CVE published

June 6, 2026 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28318 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/400.html CISA KEV Reference https://www.solarwinds.com/trust-center/security-advisories/cv… CISA KEV Reference https://documentation.solarwinds.com/en/success_center/servu/c… CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2026-28318

Related vulnerabilities

CVE-2026-28318: SolarWinds Serv-U Unauthenticated Denial of Service Vulnerability

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE